[Date Prev][Date Next]
Re: back-ldap problem with Win2000 Active Directory
At 06:50 PM 10/19/00 +0200, Bertrand Croq wrote:
> we are currently using slapd with back-ldap to connect to an Active
>Directory LDAP server:
> client <--> sldap
> back-ldap <--> Active Directory
> When doing some simple searches (ldapsearch -s one "uid=toto"),
>back-ldap crashes with the following message:
>slapd: result.c:518: send_search_result: Assertion `!(((0x51) <= (( err
>))) && ((( err )) <= (0x61)))' failed.
Likely same issue as ITS#831 <http://www.openldap.org/its/?findid=831>
> After some debug, it appears that AD sends some non-standard messages;
>in response to the search request, back-ldap gets the following message
>(captured with Ethereal):
> Result code: 0x09
> Matched DN: (null)
> Error message: Referral:
> The result code of 9 is not valid (it is written to be reserved in
>RFC2251) but OpenLDAP seems to understand that it is a referal.
That's an LDAPv2+ referral (which is not documented by any RFC).
>The problem is that the URL of the referal is not well parsed; in response
>to this search result, back-ldap sends another search request to the AD:
> Base DN: CN=Configuration,DC=thehost,DC=com??base
> Scope: Single
> There shouldn't be "??base" in the base DN and the scope should be
I don't recall LDAPv2+ support scope specifiers. "??base" likely
would confuse most LDAPv2+ implementations. But we likely allow
such. We have another ITS to address a related issue for LDAPv3
>Then AD replies with another result code 9 search result but
>with a referal to "thehost.com??base" which leads to the slapd crash.
Just "thehost.com??base" or "ldap://thehost.com??base".
Both are, of course, in valid... but we shouldn't crash on
But I note that the above crash is likely not related to
referral handling, but unknown authentication method issues.
I suggest you apply the patch noted in the above ITS and
retry. If you again crash, provide a stack trace back.
Also, in regards to referral handing issues, can you repeat
the errors using just ldapsearch -C and AD? I rather eliminate
slapd from this issue if possible.